What Are the Sources of Privacy Law?

Most people consider the right to privacy to be a fundamental human right. Several different sources define the scope of this right to privacy. In the United States these sources include:

  • Constitutional law
  • Federal law
  • State law
  • Common law
  • Voluntary agreements

Constitutional Law

The U.S. Constitution, the source of legal authority for the U.S. government, states the relationship between the federal government and the states. It also provides some authority for certain individual rights retained by all U.S. citizens. Constitutional rights are the basic individual rights recognized in the U.S. Constitution.

Most people consider privacy to be a basic constitutional right. Yet, the U.S. Constitution does not use the word privacy anywhere. However, you can piece together the constitutional right to privacy from several different provisions. U.S. Supreme Court cases have interpreted the scope of this right. When we talk about a constitutional right to privacy, we are most often referring to the right to be free from government observation and intrusion.

The following amendments to the U.S. Constitution contribute to the right to privacy:

  • First Amendment, which reads, “Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.” U.S. Constitution, amend. 1.

    This amendment sets forth the right to freedom of religion, speech, the press, and assembly. Within these rights is the implicit right of freedom of thought, which has a privacy component.

  • Third Amendment, which reads, “No soldier shall, in time of peace be quartered in any house, without the consent of the owner, nor in time of war, but in a manner to be prescribed by law.” U.S. Constitution, amend. 3.

    This amendment means that the government cannot force people to house government soldiers in their homes. This gives people a limited right to privacy in their homes.

  • Fourth Amendment, which reads, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause. . . .” U.S. Constitution, amend. 4.

    This amendment truly forms the basis for many of the privacy rights that Americans enjoy today. This amendment protects against unreasonable government searches and seizures.

    NOTE

    The Constitutional Convention adopted the U.S. Constitution in 1787. It applies to all the states in the country. It is both the oldest written constitution still in use by any nation today and the shortest.

  • Fifth Amendment, which reads, “No person shall be . . . compelled in any criminal case to be a witness against himself. . . .” U.S. Constitution, amend. 5.

    This amendment provides several protections. Many people know it for its “right to remain silent.” One interpretation is that it protects the privacy of one’s thoughts.

Each of these amendments sets forth general elements that are part of an overall right to privacy. The U.S. Supreme Court first acknowledged that a person has an interest in being “let alone” in Wheaton v. Peters (1834). In 1890, Samuel Warren and Louis Brandeis more fully explained this right to privacy in their article “The Right to Privacy.” This article referred to a right they called “the right to be let alone.” Legal cases today still refer to the phrase “the right to be let alone,” which now includes the idea that people have the right to be free from intrusions by the government.

The first U.S. Supreme Court decision to state a constitutional right to privacy was Griswold v. Connecticut (1965). In this case, the Supreme Court found that the right to privacy was a fundamental right that was present in the Constitution. Subsequent Supreme Court cases have further defined the scope of this right.

In Katz v. United States (1967), the U.S. Supreme Court held that the Fourth Amendment of the U.S. Constitution protects a person’s right to privacy. The holding meant that the right of privacy belongs to the individual and not just to locations (such as a person’s home). In this case, Charles Katz was convicted of illegal gambling. He had used a public payphone to place his bets, and the government listened to his telephone conversations through a listening device attached to the phone booth, even though it did not have a warrant to do so. The conversations were later used as evidence to convict Katz. The U.S. Supreme Court held that Katz’s right to privacy was not diminished just because he used a public payphone booth. Justice Harlan, in his concurring opinion in this case, used the famous term “a reasonable expectation of privacy.”

NOTE

The first 10 amendments to the constitution, called the Bill of Rights, outline specific limits on government power. You can learn more about the U.S. Constitution and view a high-resolution copy at https://www.archives.gov/founding-docs/constitution.

FYI

In U.S. Supreme Court cases, the Court writes a “majority opinion” that explains the decision of the court. It also explains how the justices arrived at their decision. A “concurring opinion” is one that agrees with the court’s majority decision. The justice or justices writing the concurring opinion may have a different explanation for how they reached the same decision that the majority decided. A “dissenting opinion” disagrees with the majority opinion. The justice or justices writing the dissenting opinion explain why they disagree with the majority.

“A reasonable expectation of privacy” is a belief regarding private places that society recognizes as valid. Courts use the idea of a reasonable expectation of privacy to determine whether an ordinary person would believe he or she was in a private place. If a person believes that he or she is in a private place, then there are limits on the government’s ability to observe or interfere with the person while he or she is in that space. For instance, people have a reasonable expectation of privacy in their homes. This is why government agencies usually must have a search warrant before searching a person’s home. However, people do not have a reasonable expectation of privacy when they are out on a public street.

In Whalen v. Roe (1977), the U.S. Supreme Court specifically recognized a right of “informational privacy.” This right focuses on the ability to control information. This case reviewed a New York law that created a state database of the names and addresses of patients who were prescribed narcotic drugs, based on mandatory information provided by doctors. The New York law was challenged on the basis that it unconstitutionally infringed on a right to privacy.

The Supreme Court upheld the validity of the New York law, noting that the law included procedures that properly protected the privacy of information included in the database. However, the Court did not reject the possibility that some types of government data collection would be improper. The Court wrote, “We are not unaware of the threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks or other massive government files.” As early as 1977 the Court recognized the future privacy concerns inherent in Big Data collections.

Other Supreme Court cases have continued to define the scope of the constitutional right to privacy. United States v. White (1971) found that there is no right of privacy in information voluntarily shared with another person. In Smith v. Maryland (1979), the Court found that there is no right to privacy in electronic communications’ routing information. In NASA v. Nelson (2011), the Court found that performing background checks on contract NASA employees does not violate any constitutional right to information privacy. And in Carpenter v. United States (2018), the Court ruled that the government must get a warrant before accessing a person’s cell phone location data.

NOTE

Case law refers to the decisions courts make in the cases they decide. Most high-level courts, such as the U.S. Supreme Court and the highest-level state courts, publish their opinions on cases. These opinions contribute to the body of case law, which is a part of common law.

Federal Law

Federal laws are the laws that a country’s federal government creates. No comprehensive data privacy law exists in the United States. Similar to the laws that regulate information security, U.S. federal laws that address information privacy are also industry-based. These laws put limits on the use of personal information based on the nature of the underlying data. Congress has enacted laws to protect various types of data, some of which are described in this section.

NOTE

The U.S. Code, the official record of U.S. laws, outlines the laws of the United States and is published every 6 years. The U.S. Code is available online at https://www.govinfo.gov/app/collection/uscode.

Freedom of Information Act (1966)3

This Act establishes the public’s right to request information from federal agencies, including paper documents and electronic records. The law applies to federal executive branch agencies and offices, which must comply with the law and provide requested information. There are nine FOIA exemptions; data in these categories do not have to be provided to the requester. Agencies are required to provide information to the public about how to make a FOIA request. Anyone can file a FOIA request. For more information on FOIA, see http://www.foia.gov.

Privacy Act (1974)4

This Act applies to records created and used by federal agencies. It states the rules for the collection, use, and transfer of personally identifiable information (PII) and requires federal agencies to tell people why they are collecting personal information. Federal agencies also must provide an annual public notice, which must describe their record-keeping systems and the data in them. The Act also requires federal agencies to have appropriate administrative, technical, and physical safeguards to protect the security of the systems and records they maintain.

E-Government Act (2002)5

This Act requires the federal government to use information technologies that protect privacy. The Act requires federal agencies to conduct Privacy Impact Assessments (PIAs), which are done when an agency develops information technology systems to collect and process individually identifiable information. A PIA makes sure that systems are evaluated for privacy risks. The law also requires privacy protection measures to secure the data in the systems. Federal agencies also must post their privacy policies to their websites.

Electronic Communications Privacy Act (1986)6

This Act sets out the provisions for access, use, disclosure, and interception of electronic communications, including telephone, cell phones, computers, email, faxes, and texting. The government cannot access these types of communications without a search warrant. This Act is an amendment to the original Wiretap Act and expands that act’s privacy protections. The Act includes three parts:

  • The Wiretap Act
  • The Stored Communications Act
  • The Pen Register Act

The Act was extensively updated by the 2001 Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act).

The Wiretap Act (1968, amended)7

These statutes forbid the use of eavesdropping technologies without a court order. The law protects all email, radio communications, data transmission, and telephone calls. Amendments to the original Wiretap Act include protection for electronic communications.

Census Confidentiality (1952)8

This law requires the U.S. Census Bureau to keep census responses confidential. The statute also forbids the Bureau from disclosing any data allowing a person to be individually identified. The law states that census responses can be used only for statistical purposes that do not show individual or household personal data. A “census” is a count of the population of a country.

In the United States, people are required by law to respond to the census. People were allowed to respond to the 2020 U.S. census online, marking the first time that an online response option was offered for a decennial census. The 2020 U.S. Census is also unique because many of the deadlines for responding to the census were extended because of the COVID-19 nationwide public health emergency.

NOTE

The mailbox restriction rule, adopted in 1934,10 allows only the U.S. Postal Service to put postal mail in a person’s physical mailbox at his or her home. This rule is the reason why other commercial delivery services cannot deliver parcels to mailboxes.

Mail Privacy Statute (1971)9

This law protects U.S. postal mail from being opened by another without the recipient’s consent. Domestic mail can be opened without consent only if there is a valid search warrant for that mail. This law only applies to postal mail.

Cable Communications Policy Act (1984)11

This Act is not specifically about privacy, but it does contain privacy provisions. It states that cable companies must provide a yearly written privacy notice to each customer that informs the customers about the cable company’s data collection and disclosure practices. Cable providers also must ask their customers for permission before using the cable system to collect personal information. In addition, the Act requires cable providers to get customer consent before they disclose customer data. However, consent is not required if the disclosure is required by a court order.

Driver’s Privacy Protection Act (1994)12

This Act requires states to protect the privacy of personal information contained in motor vehicle records. Protected information includes any personal data in the record, such as the driver’s name, address, phone number, SSN, driver’s license identification number, photograph, height, weight, sex, and date of birth.

The U.S. Congress passed the Driver’s Privacy Protection Act, introduced by Senator Barbara Boxer of California, in 1994. One of Senator Boxer’s reasons for introducing the Act was the 1989 murder of a California actor. A stalker obtained the actor’s address from the California Department of Motor Vehicles, then later went to the actor’s home and killed her.

State Laws

State constitutions are the documents that form the individual state governments and are the highest form of law for state governments. They apply to the people who live in a particular state.

Eleven state constitutions recognize a right to privacy: Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, New Hampshire, South Carolina, and Washington.13 These state constitutions provide clear privacy guarantees. The Montana state constitution reads, “The right of individual privacy is essential to the well-being of a free society and shall not be infringed without the showing of a compelling state interest.”14

The California state constitution notes, “All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.”15 In general, California has been a leader among states in enacting laws that recognize and protect the privacy rights of its citizens.

The State of New York was the first state to add a right of privacy into its statutes after Warren and Brandeis published their article “The Right to Privacy.”16 Many states have since written a right of privacy into their laws.

Other states have recognized a right of privacy through their case law. In 1905, for example, the Georgia Supreme Court recognized a right to privacy,17 making it the first state to recognize, through case law, a right to privacy implicit in its own Constitution.

State governments also create laws to protect data. For example, all 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted breach notification laws.18 These laws require an organization to notify state residents if it experiences a security breach that involves the personal information of the residents.

States also have industry-specific laws that protect certain types of data, such as financial, health, and motor vehicle information. For example, as of this writing, 26 states have enacted laws to prevent employers from asking employees for their social media passwords.19

Common Law

The U.S. Supreme Court did not specifically recognize a constitutional right to privacy until 1965. However, U.S. common law recognized certain privacy torts as early as 1902. A tort is some sort of wrongful act or harm that hurts a person. Tort law governs disputes between individuals. In a tort case, the injured party may sue the wrongdoer for damages.

Common law is a body of law developed through legal tradition and court cases. For the most part, the U.S. common law is a body of law and legal principles inherited from England. Common law changes very slowly. It develops as judges decide court cases.

Four privacy torts still exist today, and most states give either common law or statutory recognition to these torts. Statutory recognition means that the state has included the tort in the written laws of the state. The four privacy torts are:

  • Intrusion into seclusion
  • Portrayal in a false light
  • Appropriation of likeness or identity
  • Public disclosure of private facts

Intrusion Into Seclusion

The intrusion into seclusion privacy tort is the act of invading a person’s private space. The intrusion into private space takes several forms: It can be a physical intrusion, but it can also be an intrusion through electronic means, such as using an eavesdropping device. The intrusion must be highly offensive to a reasonable person. In this tort, the legal wrong occurs as soon as the private space is invaded. Understanding what constitutes a private space is important for this tort.

NOTE

The California Office of Privacy Protection, created in 2000, protects the privacy rights of state residents. California was the first state to create this type of agency, which has an extensive website that includes privacy tips and consumer information. In 2013 the office disbanded and its privacy-protective functions moved to the California Department of Justice.

In 2009, the Supreme Court of Ohio found that people have a reasonable expectation of privacy in their cell phones.20 This is because cell phones can hold large amounts of personal data. Other courts have held that people have a reasonable expectation of privacy in the data stored on their personal computers. This is especially true if they take steps to protect the data, including encrypting the data or using a password to protect the computer.

NOTE

A search warrant is a court order. A judge issues a search warrant after the government proves that it has probable cause to believe that criminal activity is taking place. Probable cause is a burden of proof.

Portrayal in a False Light

The portrayal in a false light privacy tort involves publishing highly offensive private information about an individual to create a bad impression. The information published is true, but it is published in an offensive way. This tort often is confused with defamation, which is another type of tort that involves maliciously saying false things about another person.

The portrayal in a false light privacy tort occurs when a person’s photograph or image is used to create a bad impression. For example, taking a picture for a magazine of a person standing outside of a bar might create the impression that the person is a customer, which might be offensive if the person holds a position of high respect in the community. In this case, the person photographed could sue for invasion of privacy based on portrayal in a false light.

In 1993, the Alabama Supreme Court reviewed a false light case.21 In that case, a greyhound racetrack took a picture of a group of men sitting together, which was later used in advertising materials. The men sued for false light. The Alabama court held that the men did not state a claim for false light because they were in a public place. The court said there was nothing offensive about sitting at the track. It also said that the men consented to the taking of the photograph because they did not move or object when the photographer appeared and began taking pictures. These types of torts are very dependent on the facts and circumstances of each case.

Appropriation of Likeness or Identity

The appropriation of likeness or identity privacy tort, the oldest privacy tort, involves appropriating, or taking, an individual’s name or likeness without that person’s consent for financial gain. This tort often occurs with public figures if their likeness is used without their permission to sell a product or service. Court cases have held that likeness includes identifiable characteristics of a person, including his or her voice or mannerisms.

In 1992, a Samsung advertisement featured a robot dressed in a blond wig and evening gown hosting a futuristic version of a popular game show. Vanna White, a game show host, sued Samsung for appropriating her identity for commercial gain.22 She successfully argued that being a game show host on a popular game show was her identity. She won the case.

NOTE

The reasonable person standard is a legal concept used to describe an ordinary person. This fictitious ordinary person represents how an average person would think and act. Courts use this standard to determine if the conduct that is complained about in a lawsuit is offensive to an ordinary person. Conduct is wrongful if a reasonable person finds it offensive.

Public Disclosure of Private Facts

The public disclosure of private facts privacy tort involves the publication of embarrassing private facts. The facts publicized must be so embarrassing that a reasonable person would be offended by their publication. The disclosures must be true. Also, they must be truly private. Facts published as part of the public record are not private. Many courts have applied a “newsworthy” defense to this tort, which allows the media to report on newsworthy incidents without fearing a lawsuit for public disclosure of private facts.

The Maryland Court of Appeals has held that the publication of a criminal “mug” shot is not a privacy violation based on the public disclosure of private facts privacy tort.23 This is because the mug shot is originally published as part of the public record.

NOTE

All of the privacy torts can be waived by consent. A person may not bring a tort action against an alleged wrongdoer if he or she permits the privacy invasion. Those who give permission for use of their likeness, intrusion into their private space, or publication of facts about them cannot later claim that they were harmed.

Voluntary Agreements

Protecting personal data privacy grows harder as technology advances. People must understand their privacy choices in order to protect their data. Governments and organizations must understand the information that they need to provide. Organizations use fair information practice principles to help specify how they collect and use data. However, organizations are not legally required to follow these principles; instead, they use them to make sure they are properly informing people about their data collection practices.

The U.S. Department of Health, Education, and Welfare developed the “Code of Fair Information Practice Principles” in 1973 because there was no federal law that protected personal data. These principles stated that there should be no secret record-keeping systems. The principles also required that individuals have a way to find out if information is collected about them, because individuals must have a way to correct inaccurate data. These practices eventually formed the basis for the 1974 federal Privacy Act.

In 1980, the Organization for Economic Cooperation and Development (OECD) adopted the “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data” to protect personal data. They are an extension of the 1973 U.S. fair information practices. The United States was actively involved in creating the OECD guidelines, which help guide privacy legislation for OECD members. These guidelines were revised in 2013. The OECD continues to provide recommendations on how to implement the guidelines in today’s complex technology environment.

NOTE

The OECD was established in 1961 to promote a market economy. There are 36 members. The United States has been a member since 1961.

The OECD guidelines contain eight privacy principles:

  • The Collection Limitation Principle—Individuals must know about and consent to the collection of their data. This is sometimes known as the data minimization principle.
  • The Data Quality Principle—Any data collected must be correct.
  • The Purpose Specification Principle—The purpose for data collection should be stated to individuals before their data is collected.
  • The Use Limitation Principle—Data should be used only for the purposes stated when it was collected.
  • The Security Safeguards Principle—The collected data must be protected from unauthorized access.
  • The Openness Principle—People can contact the entity collecting their data to discover where their personal data is collected and stored. This is sometimes known as the data transparency principle.
  • The Individual Participation Principle—People must know if data about them has been collected. People also must have access to their collected information.
  • The Accountability Principle—The entity collecting data must be held accountable for following the privacy principles.

Compliance with fair information practice principles is encouraged through voluntary membership in self-regulating organizations. Organizations often choose to regulate themselves to keep governments from making laws that would limit their behavior. Organizations can participate in a seal program to show their compliance with fair information practice principles.

NOTE

You can read the Better Business Bureau accreditation standards here: https://www.bbb.org/bbb-accreditation-standards. How do these voluntary standards help protect consumer privacy? What makes up the fair information practice principles evidenced in the BBBOnline standards?

A seal program, run by a trusted third-party organization, verifies that an organization meets industry-recognized privacy practices. If the organization meets the required standards, then it is allowed to display a privacy seal on its website. The seal, an image that customers recognize, is used to signify a trustworthy organization. Common seal programs in the United States are WebTrust, TRUSTe, and the Better Business Bureau.
